Our approach to examinations and the assessment of examination outcomes

Introduction

We have updated our approach to examinations and assessment of examination outcomes following your feedback and recommendations from the MONEYVAL Mutual Evaluation Report.
Our updated approach is designed to:

  • support us in delivering risk-based supervision
  • drive consistency in how we assess supervised persons
  • be easier and clearer for supervised persons to understand examination outcomes

Summary of updates

We have:

  • added risk ratings of findings to reports
  • simplified reports to include:
    • a more concise executive summary
    • the objectives of the examination team in relation to each focus area examined
    • a matrix showing the risk rating associated with each finding
    • better use of tables and appendices to present data
    • simplified presentation of obligations

Rating examination findings

Findings will be rated as:

  • minor: systems and controls are assessed as being substantially effective
  • moderate: systems and controls are assessed as being moderately effective
  • major: systems and controls are assessed as being ineffective

Our rating methodology is based on a combination of the inherent risk attached to the associated obligation and the entity’s level of compliance with the obligation, as determined during the examination.

Failure to comply with an inherently higher-risk obligation increases the likelihood of financial crime, conduct or prudential risk crystallising to a greater extent than non-compliance with inherently lower-risk obligations.

Ratings provide visibility of the degree of risk presented, enabling remediation activities to be prioritised in higher-risk areas.

Responding to the outcome of an examination

We have developed our approach to assessing whether an examination's outcome is potentially serious.

An examination may uncover several issues with different degrees of risk. If any findings pose a moderate or major risk, we will consider the potential seriousness of the examination outcome. In limited cases, a single finding may be considered serious, even if others are less significant.

Assessing seriousness

Our usual approach is to assess seriousness holistically. We do this by considering a range of factors relevant to the entity and the examination findings, which may increase or decrease the risks presented. 
Factors include, but are not limited to:

  • customer base: the nature of an entity’s customer base may impact the level of risk presented by non-compliance or partial compliance. For example, if an entity has a predominantly high-risk customer base and is operating deficient systems and controls, it may be unable to effectively manage the risks it is exposed to through its customer relationships.
  • regulatory history: a poor regulatory history may indicate ongoing challenges in an entity’s ability to operate compliantly. It may also indicate broader risks existing in the entity’s business or root causes that the entity has not previously addressed. This may include a poor compliance culture or dominant director behaviour.
  • repeat findings: repeat findings or breaches indicate previous remediation has been ineffective or not maintained. This may create the risk of an entity remaining in a long-term or perpetual state of non-compliance or partial compliance.
  • systemic risks: deficiencies that are not isolated to one or two instances may indicate systemic issues and risks in an entity’s business. For example, the same deficiency repeated in multiple customer records likely indicates widespread non-compliance and may result in a heightened risk exposure.
  • business model factors: an entity’s business model may impact its ability to operate compliantly and identify and manage risks effectively. For example, outsourcing compliance activities may increase the risk of non-compliance where management oversight is limited. This may lead to ineffective risk identification and management.

Once we have identified and considered the relevant factors, we can identify the risks that may impact our guiding principles. The overarching risk types are:

  • financial crime risk
  • conduct risk
  • prudential risk

From here, we will consider the degree of risk presented by considering the extent to which the findings, resultant breaches (if applicable) and contextual factors result in the entity being:

  • under-informed about the risks it faces
  • unable to adequately monitor the risks
  • unable to adequately manage or mitigate the risks

If we conclude that an examination has a potentially serious outcome, we will consider our next steps, as set out in section 6.

Responding to a potentially serious outcome

Once we have determined a potentially serious outcome exists, we will verbally inform the entity. This will usually occur at a meeting after the on-site examination. At this stage the examination findings are in draft, pending a factual accuracy review by the entity. We maintain an open mind that the draft findings could change and, consequently, so may our view of the potential seriousness.

If the examination outcome is still considered potentially serious after the report is finalised, we will put a regulatory strategy in place. This strategy will outline how we propose to manage and mitigate the risks against our guiding principles.

The strategy could include:

  • enhanced supervision: increased supervisory engagement and focus, including more frequent meetings and regular reporting of data relevant to the risks identified.
  • engagement of heightened risk response (HRR): HRR is primarily, although not exclusively, engaged to respond to serious deficiencies or regulatory concerns. HRR is often engaged to oversee entity remediation and arrangements for post-remediation effectiveness testing. Where appropriate, HRR will use our regulatory toolkit.
  • the regulatory toolkit: regulatory tools are designed to be dissuasive and effective in managing and mitigating risks or may be used to obtain further information relevant to our supervisory function. Examples of the types of regulatory tools we use include:
    • a direction requiring an entity to undertake a specific action or activity, or alternatively, requiring it to refrain from doing so.  Directions can support us in managing an entity’s risk exposure and ensure the entity’s board and senior management focus on remediation.
    • a written warning regarding the potential risk of a civil financial penalty should an entity fail to effectively and sustainably remediate contraventions of the Money Laundering Order or Codes of Practice.
    • a legal notice which requires an entity to engage a regulatory consultant to test that remediation it has performed in response to examination findings is effective and sustainable.
  • referral to Enforcement: our Enforcement team investigates actual and potential cases of serious non-compliance. Where appropriate, Enforcement will take or propose action against an entity or individuals.

The nature of the tools used will be tailored to the identified risks or issues and will vary from case to case.